I am a New York City-based journalist covering business, entrepreneurs & technology. I'm interested in the long and winding road from concept to launch to success (or failure), and all of the milestones in between. I have a degree in business journalism from Columbia University, I've worked in daily newspapers in the U.S. and briefly in India, and I've covered M&A and business strategy. In my time at Forbes I've focused on startups, tech and growing enterprises.

Former NSA Security Architect Pushes Email Encryption For The Masses

Will and John Ackerly are touting email encryption for the people with their startup, Virtru.

Since former NSA contractor Edward Snowden began divulging information on how vulnerable our personal digital data is – and how much of it security organizations have been helping themselves to – the average web surfer has begun to think a bit more cynically about cyber security. That newfound suspicion creates a headache and a PR-fiasco for the NSA but opens doors for entrepreneurs in the world of online privacy.

Two such entrepreneurs are brothers Will and John Ackerly. The Ackerlys and their startup venture, Washington D.C.-based Virtru, are two weeks into the launch of a product that lets internet users encrypt any and all of their emails for free. Unlike competitors, the service acts as an add-on to your web browser and does not require the email recipient to have signed up for the service. That feature alone makes Virtru notable.

“What we’ve tried to do – and what’s different from what a lot of encrypted communication tools out there have done – is really spend time to integrate the encryption technology directly into Gmail, Yahoo, Outlook.com,” John Ackerly said.

There is no shortage of privacy and security products out there, but the brothers felt that if they created a simple system that required little technical know-how it would catch on with the tech-dyslexic and tech-savvy alike. “86% of Americans, while concerned about the privacy of their personal information, have not taken action because they don’t know where to go.”

Here’s how it works:

I downloaded Virtru as a Firefox add-on and a mobile app. On Firefox, each new email contains a small unobtrusive switch on the top right corner of the message window which turns encryption on (yes, it is opt in). Press “send” and Virtru encrypts the contents on your device with standard AES 256, then sends it to the recipient but separates the encryption key from the message. The recipient does not need to have downloaded Virtru to get the key but does need to confirm his or her identity by email address. Virtru holds the key to that decryption process and won’t fork it over without verification. According to Will Ackerly: “We also have a firewall that makes sure that every keystroke that you type inside the compose window never gets to the server.” Normally, he said, every single keystroke is recorded and sent to Google servers when using Gmail.

Virtru’s user to user blueprint.

On a smartphone, users can send emails via the Virtru mail app, which links to, say, a Gmail app, but only after verifying their identity on the device. Other free services include the ability to control whether your recipient can forward your message and the power to revoke access to the message after a chosen period of time, a la Snapchat.
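The flow described above (encrypt on the device, keep the key apart from the message, release it only to a verified recipient, allow revocation or expiry) can be sketched as follows. This is an added example, not Virtru's code: the `KeyService` class, `sealMessage`, `openMessage` and the choice of GCM mode for AES-256 are assumptions, and the key service is an in-memory stand-in for a remote server.

```javascript
// Added illustration (not Virtru's code): split-key email encryption.
// KeyService, sealMessage and openMessage are hypothetical names.
const crypto = require('crypto');

// Stand-in for the key server: it holds keys and policy, never message bodies.
class KeyService {
  constructor() { this.policies = new Map(); }
  register(key, recipients, expiresAt) {
    const keyId = crypto.randomUUID();
    this.policies.set(keyId,
      { key, recipients: new Set(recipients), expiresAt, revoked: false });
    return keyId;
  }
  revoke(keyId) {
    const p = this.policies.get(keyId);
    if (p) p.revoked = true;
  }
  // verifiedEmail must come from an identity check the service itself ran
  // (for example a confirmation link), never from a caller-supplied claim.
  release(keyId, verifiedEmail, now = Date.now()) {
    const p = this.policies.get(keyId);
    if (!p || p.revoked || now >= p.expiresAt || !p.recipients.has(verifiedEmail)) {
      throw new Error('key release denied');
    }
    return p.key;
  }
}

// Sender side: encrypt on the device; only ciphertext travels by email.
function sealMessage(keyService, plaintext, recipients, ttlMs) {
  const key = crypto.randomBytes(32);   // AES-256 key, fresh per message
  const iv = crypto.randomBytes(12);    // GCM nonce, never reused with a key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const keyId = keyService.register(key, recipients, Date.now() + ttlMs);
  return { keyId, iv, body, tag: cipher.getAuthTag() };  // the key is not included
}

// Recipient side: obtain the key after verification, then decrypt locally.
function openMessage(keyService, envelope, verifiedEmail) {
  const key = keyService.release(envelope.keyId, verifiedEmail);
  const d = crypto.createDecipheriv('aes-256-gcm', key, envelope.iv);
  d.setAuthTag(envelope.tag);           // a modified body fails at final()
  return Buffer.concat([d.update(envelope.body), d.final()]).toString('utf8');
}
```

Revocation and expiry here only stop future key releases; a recipient who has already decrypted a message keeps the plaintext.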

The two brothers are in a unique position to build security solutions. Will Ackerly, the 33-year-old CTO, spent 8 years working as a cloud security architect for the NSA before taking his talents to the private sector in 2012. John, who is 39 and is Virtru’s CEO, served as associate director of the National Economic Council and director of the Office of Policy and Strategic Planning at the Commerce Department under President George W. Bush and.

Will Ackerly’s primary focus with the NSA was developing technology to protect data. “After my experience at NSA I really gained an appreciation for how hard it was for people to protect their data and an acute awareness that there’s a lack of tools out there for individuals to be able to protect their data.”

John Ackerly’s tenure under President George W. Bush coincided with September 11, 2001. Following the attacks on the World Trade Center, actions were taken concerning security that had long-lasting impact on the right to privacy, he explained. Massive technological change happening at the same time as major policy decisions led to an undeveloped sense of how much privacy a person can expect, how much data a third party should have access to and what the government is allowed to see. “It was a wonderful moment for me, from the policy perspective, to be talking to my brother around the kitchen table about technology that he was building at the NSA that very clearly could have a transformative impact on the way people feel about communicating online.”

The Ackerly brothers financed the company with their own money early on before raising $4.2 million from angel investors including Bob Pittman, CEO of ClearChannel. John was working for private equity firm Lindsay Goldberg in New York at the time and left to head the young firm. The extra money helped build out a team of developers and the company now stands at 11 full-timers and 24 part-time platform builders. It is a developer-heavy crew and some have experience working with Will at the NSA.

Email encryption is free (“and it will always be free,” they say) but the duo have formulated a revenue model consisting of soon-to-come paid features like attachment security, domain-level enterprise data management platforms, as well as the licensing of their technology to organizations that want to manage their own security keys. The fees themselves have yet to be determined but will be announced in the second quarter.

The majority of its angel round is still in place but the company is not profitable. Remaining cash will likely see Virtru through 2014 but the company could look to raise more money from investors after that.

Will Ackerly and his team have spent the past 18 months making sure the product works in all the top webmail providers and building out mobile apps. So far Virtru has launched its email privacy product as an add-on to Chrome, Firefox and iOS—and user numbers have reached the tens of thousands in less than a month (70% in the U.S.). That’s a limited app, to be sure, but in the coming weeks compatibility will spread to Internet Explorer, Safari and Android, as well as plugins for Outlook and Mac Mail.

Whistleblower Edward Snowden’s highly publicized disclosures of global surveillance and metadata interception have put the focus on privacy and products that can provide it. That attention has been a boon for the Ackerly brothers and their team, as it has for other security app products from new companies. Says John: “Having that ecosystem of players, we think that’s a great thing. We think that 2014 is going to be the year of encryption and of people embracing it for their personal lives. We think that’s one of the silver linings of the Edward Snowden revelations.”


No, that’s what RC4 SHA512 is for, damned big prime number, you create the private keys then you effectively own the public keys and if people want to read your mail, then they better BEG on their knees for you to share the public key!

The leaks tell you your device has a root-kit and there they are trying to password protect a rooted device in top 10 tips on how to password protect your shizle.

Then they recommend using a google alert on your name..

Use weak breakable encryption from MS Bitlocker instead of TrueCrypt

Turn on Authentication for GMAIL are you serious?

It doesn’t matter if you clear the cookies, your landing page is Google and the immortal immoral cookie tracker, how about ditch that search engine and use one that doesn’t track you like Scroogle or DuckDuckGo?!

Well you’ve got a choice, you could use duckduckgo or motherpipe, I hear their servers are based in Germany where they take the citizens’ privacy rights seriously.

Sadly on Android devices you are locked into google, so that’s not so bad you’d think, until you try to use another search engine and then watch what happens when you open your browser, it’s pretty sneaky, it will still open the google homepage even if you’ve told it not to!

Same with Firefox downloaded off the android market, it still tracks all your activity and loads Google’s immortal cookie.. the beast that does not want to die!

I’ve pulled apart the underlying OS being Android and it’s not just Angry Birds spying on you, the whole device is one giant tracking pad although I did read those GPS modules cost $675.000 for a box of 100 so that means my tablet is worth $6.750 wow, I mean just “wow”… that’s not what I paid for it and if they won’t open source the drivers, then it’s only a matter of time before some enterprising programmer does with a tool like XPrivacy and then people are going to start popping up all over the world!

Their software is a double-edged sword… what it all boils down to is the biggest names in the Advertising Business, Google, Facebook, Microsoft, Yahoo, AoL etc and their disgusting lust for profits!

So as people got wise to it all and started to Block Advertising with things like Ad-Block and NoScript, this gave them all a huge problem because no one took time to look at their adverts, so disappointed they decide to infect a load of devices made for everybody, children included and lock those devices into a restrictive service level agreement.

Want to know how you too can completely over-ride and destroy their tracking results?

Download firefox, then download the NoScript addon, then download modify headers and forge your browser header, then download geo-location and set your exact Geo-Positioning to be inside the White-House, now open up your anonymous relay, in this case a good VPN or the Tor network made to anonymise your connection… Now when your browser exits out of a Tor exit onto the Google landing page, the first thing your Geo-Location will reveal is that you are standing in the President’s oval office and now all your online adverts on youtube etc will all be in American and now you can start searching for whatever you would like the President of the United States to be blamed for! Shall we go and find some really offensive websites.. yes I think so..

You are right on about those “free” e-mail services. They are making money hand over fist by selling your info to third parties. Last week when Yahoo blamed third parties for the account passwords theft it was made very clear. At www.americansrighttoprivacy.com you will remain anonymous as we DO NOT and WILL NOT copy, scan, or sell any of your content. Our email service is 100% privacy guaranteed. Privacy is not only a human right but also required to survive in a competitive business environment. We are very serious about protecting your electronic communications and due to the strict restrictions of the U.S. Patriot Act for law abiding citizens, we cannot align ourselves with servers located in the United States. Therefore, our servers are located in Switzerland where strong data privacy laws do not abide by the U.S. Patriot Act.

Seriously, I can’t believe they would do that to people’s devices and then sell those devices to school-kids and when an adult buys one, takes it apart wanting to liberate their device from their software, no wonder they get upset!

I’m sure they’re having fun tracking the Paranoid Android which uses this as part of its privacy framework already! Their precious DATA that they are harvesting, spending billions of dollars to obtain has all been deliberately sabotaged by enlightened programmers and other hackers that think alike! ;)

Americans Right to Privacy DOES NOT collect your personal information. Did you know that Google, Yahoo, Hotmail, AOL and other service providers are scanning, analyzing and categorizing your emails every day? As a result, these numerous providers are pleased to give you a “free” email service because they generate large revenues for themselves through the selling of your personal information to third parties! 100% Privacy guaranteed. At www.americansrighttoprivacy.com you will remain anonymous as we DO NOT and WILL NOT copy, scan, or sell any of your content. Our email service is 100% privacy guaranteed. Privacy is not only a human right but also required to survive in a competitive business environment. We are very serious about protecting your electronic communications and due to the strict restrictions of the U.S. Patriot Act for law abiding citizens, we cannot align ourselves with servers located in the United States. Therefore, our servers are located in Switzerland where strong data privacy laws do not abide by the U.S. Patriot Act.

Why Switzerland? Switzerland’s strong privacy legislation. In Switzerland, for example, access to electronic communications by any authority requires an official warrant issued by a court in Switzerland. The Swiss specifically established a rate of privacy in their Constitution and reinforced it in their Data Protection Act which maintains that individuals and companies have a right to privacy in their electronic communications. This protection ensures that your information is safe from competing predators or agencies and entities with personal motives who pry into your privacy and steal your data without your knowledge. Your emails are saved and backed up in Switzerland and due to its strong legislation, there is no backdoor for any government in the world, not even for Switzerland itself, to access your emails and digital data.

That’s a nice thought, but there is one fundamental flaw that probably escapes their notice and that is that any programmer, anywhere, can simply set up their own SMTP mailer and DNS hosting locally and then none of them need to use any external service provider at all.

Feel free to troll the Mailbox, there’s nothing in there and if I had something I wanted to send that was so damned secret, I wouldn’t trust it to some third party provider. I would copy it to an encrypted SANS Disk and post it in the Mail.

Micro SSD, marvelous invention of the digital age, just get yourself a USB plugin Card reader, make sure you’re not attached to the internet, copy whatever is so damned important into a text file and simply type:

openssl enc -rc4 -md sha512 -a -salt -in secrets.txt -out secrets.txt.enc

Now copy the final *.enc to your Micro SSD, if you like go the extra step of hiding it under a sticker on the letter head.

My personal favorite is CryptoHeaven http://cryptoheaven.com it has been running since 2001 and is the codebase for SaluSafe http://salusafe.com Check out the source code on GitHub. The source code was recently posted on GitHub, but apparently it was always available on the company’s website.